Every WhatsApp voice note processed by the WhatsApp AI agent is transcribed, stored as text, and used to create workspace records. Each of these steps processes personal data, and GDPR requires a lawful basis for that processing. The most appropriate basis, consent, requires that users know their voice notes will be transcribed before they send them.
Key Analysis
Processing a voice note with speech-to-text (STT) constitutes processing of personal data under GDPR; voice data is biometric data under GDPR Article 9 if used to identify a person.
The lawful basis for transcription is most defensibly 'legitimate interests' (Article 6(1)(f)) where the processing is necessary for legal practice management and proportionate to the privacy impact.
Retention of transcripts must be governed by a defined policy — transcripts should not be retained longer than the workspace item they relate to.
Risk Signals
Transcribing voice notes without informing users that transcription occurs.
Retaining transcripts indefinitely without a documented retention policy.
Using voice data for purposes beyond the original legal workflow — such as training a voice recognition model.
Action Items
Disclose voice note transcription in the privacy notice and at session start.
Define and document the retention period for transcripts (suggested: same as the linked workspace item).
Never use voice data for purposes beyond the stated legal workflow without explicit consent.